Making a Secure Transition to IPv6

Moving your network from IPv4 to IPv6 can be risky if you don’t close security holes

In February 2011, the last blocks of IPv4 Internet addresses were allocated, highlighting the need for organizations everywhere to plan their transition to IPv6, the next-generation Internet protocol. Because the move to IPv6 is happening gradually, applications will support both Internet protocols for some time—and so must your network. During the transition from IPv4 to IPv6 your network could become vulnerable to new security risks, so it’s critical that you phase in the new protocol as securely as possible.

Because the two Internet protocols are not interchangeable, your small business network will have to run both of them simultaneously until IPv4 is fully phased out. The two protocols can share the same physical network, meaning you don’t need to run new cables or separate wireless access points to support IPv4 and IPv6, but the two types of traffic will be kept separate on your network. Though some of the devices on your network will carry only IPv4 traffic, newer devices will run IPv4 and IPv6, acting as a bridge as you transition your network to the new protocol. This dual environment is where security complications can arise, both with new IPv6 devices and with the technologies used to allow IPv4 and IPv6 to coexist.

Because every device that connects to your network or the Internet will eventually have to support IPv6, you need to make sure they’re protected by your network security measures. You should apply preventative measures to all of your routers, switches, PCs and laptops, printers, smartphones, tablets, and surveillance cameras as you transition to IPv6. Note that many of these devices can be upgraded from IPv4 to IPv6 through a firmware (or software) upgrade or a new Ethernet card. Some devices, though, will need to be replaced with newer equipment that natively supports IPv6 and is backward compatible with IPv4.

All eyes on IPv6

Currently, most of the organizations that have upgraded to IPv6 are very large enterprises, such as telecom providers and branches of the U.S. government that were mandated to be IPv6-compliant by this time. With so few active users, especially compared to the millions of companies running IPv4 applications, hackers and other attackers couldn’t profit by exploiting any vulnerabilities in IPv6 networks and applications. However, this will change as more network devices with native IPv6 functionality are released and more organizations upgrade their networks and applications.

Security experts believe that cyber criminals will soon focus more of their malicious attention on IPv6, creating new tools to attack undiscovered vulnerabilities in IPv6 products. The best way to protect your small business network is by methodically checking any new device for IPv6 capabilities. You want to make sure that IPv6 hasn’t been turned on automatically before you’ve configured your entire network to securely handle IPv6 traffic.

In addition, you need to make sure that the devices running in your dual environment have identical security settings. All of the security settings you configured for your IPv4 equipment should be replicated on your new IPv6 devices, including any traffic blocks or filters. Make sure, too, that the IPv6 network has antivirus, antimalware, firewalls, and intrusion prevention applications in place. For instance, your firewall should be configured to filter IPv6 traffic as well as IPv4 traffic.

Some of your older devices might not be able to process IPv6 traffic and will simply pass the traffic through your network without checking it for attacks. Because there’s no reason for IPv6 traffic to be on your IPv4-only network, you should set up a filter on these devices that stops IPv6 traffic from entering your IPv4 network. Keep in mind, though, that one way to transition from IPv4 to IPv6 is by allowing IPv4 traffic to carry IPv6 data packets within it. If you choose this method, called tunneling, you’ll have to use more sophisticated security measures to protect against hidden attacks on your dual environment.

Securing new technologies

New IPv6 devices aren’t the only possible security risks related to the new protocol. The techniques and technologies used to transition from IPv4 to IPv6 may also create vulnerabilities in your network. There are two ways to make the two incompatible protocols coexist in a dual environment on your network: tunneling and dual stack.

Tunneling allows IPv6 data packets to be encapsulated within IPv4 data packets. IPv6 traffic being carried into your network in IPv4 packets through IPv4-enabled firewalls can pose a security risk if that IPv6 traffic includes an attack. To protect your network from attacks that come in via tunneling, you should consider a firewall or a router with a built-in intrusion prevention system (IPS), such as the Cisco 500 Series Secure Routers, that does packet inspection, which reveals the type of traffic traveling through the tunnels.
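The two preceding paragraphs describe the traffic an IPv4-only filter lets through unchecked: native IPv6 frames, and IPv6 packets hidden inside IPv4 by tunneling. As an added example (not code from the original post or from Cisco), this Python classifier inspects raw Ethernet frames and flags native IPv6 (EtherType 0x86DD), 6in4 tunnels (IPv4 protocol 41) and Teredo tunnels (IPv4 UDP on port 3544); the sample frames are constructed inline with zeroed MAC addresses and checksums and documentation-only IP addresses.

```python
import struct

ETHERTYPE_IPV4, ETHERTYPE_IPV6 = 0x0800, 0x86DD
IPPROTO_IPV6, IPPROTO_UDP = 41, 17   # protocol 41 = IPv6 carried directly inside IPv4 ("6in4")
TEREDO_PORT = 3544                   # Teredo carries IPv6 inside IPv4 UDP on this port

def classify_frame(frame: bytes) -> str:
    """Label one Ethernet frame as ipv4, ipv6-native, ipv6-tunneled-6in4, ipv6-tunneled-teredo or other.
    Native and tunneled IPv6 are both reported: an IPv4-only filter passes either through unchecked."""
    if len(frame) < 14:
        return "other"
    ethertype = struct.unpack("!H", frame[12:14])[0]
    ip = frame[14:]
    if ethertype == ETHERTYPE_IPV6:
        return "ipv6-native"
    if ethertype != ETHERTYPE_IPV4 or len(ip) < 20:
        return "other"
    ihl = (ip[0] & 0x0F) * 4             # IPv4 header length in bytes
    proto, inner = ip[9], ip[ihl:]
    if proto == IPPROTO_IPV6 and inner and inner[0] >> 4 == 6:
        return "ipv6-tunneled-6in4"
    if proto == IPPROTO_UDP and len(inner) >= 8:
        sport, dport = struct.unpack("!HH", inner[:4])
        if TEREDO_PORT in (sport, dport):
            return "ipv6-tunneled-teredo"
    return "ipv4"

def find_ipv6(frames) -> list:
    """Return (index, label) for every frame that carries IPv6 in any form."""
    return [(i, lab) for i, lab in enumerate(map(classify_frame, frames)) if lab.startswith("ipv6")]

# Constructed sample frames: zero MACs and checksums, documentation addresses (192.0.2.0/24, 2001:db8::/32).
def _eth(ethertype):
    return b"\x00" * 12 + struct.pack("!H", ethertype)

def _ipv4(proto, payload_len):
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))

def _ipv6(next_header=59):   # 59 = "no next header"
    return struct.pack("!IHBB16s16s", 0x60000000, 0, next_header, 64,
                       bytes.fromhex("20010db8" + "0" * 23 + "1"), bytes.fromhex("20010db8" + "0" * 23 + "2"))
SAMPLE_FRAMES = [
    _eth(ETHERTYPE_IPV4) + _ipv4(6, 0),                                    # plain IPv4 (TCP, empty)
    _eth(ETHERTYPE_IPV6) + _ipv6(),                                        # native IPv6
    _eth(ETHERTYPE_IPV4) + _ipv4(IPPROTO_IPV6, 40) + _ipv6(),              # 6in4 tunnel
    _eth(ETHERTYPE_IPV4) + _ipv4(IPPROTO_UDP, 48)
    + struct.pack("!HHHH", TEREDO_PORT, TEREDO_PORT, 48, 0) + _ipv6(),    # Teredo tunnel (UDP + IPv6)
]
```

Running `find_ipv6(SAMPLE_FRAMES)` reports frames 1 to 3; only the first, plain IPv4 frame is left alone.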

A dual stack environment is the easiest way for a small company to support both protocols. Network devices, such as managed switches, run both an IPv4 stack and an IPv6 stack at the same time, which allows the devices to communicate with either protocol. The important thing to remember with this transition technology is that the access control lists (ACLs) that you set up for your IPv4 devices are not automatically transferred to your new IPv6 devices. Because IPv6 supports automated neighbor discovery and address creation, new devices can automatically generate both local and global IPv6 addresses without any user interaction, which makes them easier to exploit. You’ll need to set up ACLs for IPv6 to control the traffic that flows in and out of your network. This will prevent an attacker from gaining access to IP addresses on your network and using them to access your company’s resources on your network.
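Both the earlier advice to replicate every IPv4 traffic block and filter on the IPv6 side and the point just made that ACLs are not carried over automatically come down to one check: does every IPv4 rule have an IPv6 counterpart? This added Python audit (not code from the original post or from Cisco) compares two rule sets written in a simplified, constructed rule syntax rather than any vendor's ACL format, matching addresses through an inventory that maps each dual-stack host's IPv4 and IPv6 addresses to one name; it also flags an IPv6 ACL that never permits ICMPv6, since the neighbor discovery and address autoconfiguration mentioned above run over ICMPv6. The host inventory and rule sets are constructed sample data.

```python
from dataclasses import dataclass
import ipaddress

@dataclass(frozen=True)
class Rule:
    action: str   # permit or deny
    proto: str    # tcp, udp, icmp, icmpv6 or any
    src: str      # address, prefix or "any"
    dst: str
    port: str     # destination port or "any"

def parse_rule(line: str) -> Rule:
    """Parse the simplified rule syntax used in this example (not a vendor ACL syntax):
    '<permit|deny> <proto> <src> -> <dst> [port N]'. Addresses are validated to catch typos."""
    tokens = line.split()
    action, proto, src, arrow, dst = tokens[:5]
    if arrow != "->" or action not in ("permit", "deny"):
        raise ValueError(f"bad rule: {line}")
    for addr in (src, dst):
        if addr != "any":
            ipaddress.ip_network(addr, strict=False)   # raises ValueError on a malformed address
    port = tokens[6] if len(tokens) == 7 and tokens[5] == "port" else "any"
    return Rule(action, proto, src, dst, port)

def _key(rule: Rule, hosts: dict) -> tuple:
    """Protocol-neutral identity of a rule: addresses become host names, icmpv6 compares as icmp."""
    proto = "icmp" if rule.proto == "icmpv6" else rule.proto
    return (rule.action, proto, hosts.get(rule.src, rule.src), hosts.get(rule.dst, rule.dst), rule.port)

def audit_acls(v4_rules, v6_rules, hosts) -> list:
    """Return findings: IPv4 rules with no IPv6 counterpart, plus a missing-ICMPv6 caveat.
    hosts maps both the IPv4 and the IPv6 address of each dual-stack host to one name."""
    v6_keys = {_key(r, hosts) for r in v6_rules}
    findings = [f"no IPv6 counterpart for: {r}" for r in v4_rules if _key(r, hosts) not in v6_keys]
    if not any(r.action == "permit" and r.proto == "icmpv6" for r in v6_rules):
        findings.append("IPv6 ACL never permits icmpv6: neighbor discovery and address autoconfiguration run over ICMPv6")
    return findings

# Constructed inventory and rule sets (documentation addresses only).
HOSTS = {"192.0.2.10": "web", "2001:db8::10": "web", "192.0.2.20": "files", "2001:db8::20": "files"}
V4_ACL = [parse_rule(l) for l in (
    "permit tcp any -> 192.0.2.10 port 443",
    "deny tcp any -> 192.0.2.20 port 445",
    "deny any any -> any",
)]
V6_ACL = [parse_rule(l) for l in (
    "permit tcp any -> 2001:db8::10 port 443",
    "deny any any -> any",
)]
```

`audit_acls(V4_ACL, V6_ACL, HOSTS)` reports the missing port 445 block for the file server's IPv6 address and the absent ICMPv6 permit; adding those two IPv6 rules brings the finding list to empty.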

Making a secure transition to IPv6 isn’t all that different from securing other new technologies on your network. You make sure your existing defenses protect the new equipment, you configure the equipment to adhere to your network security policies, and you keep a vigilant eye on the traffic that flows into your network. Also, it’s important to check every device on your network for different security settings and to discover all the possible entry points for IPv6 traffic, especially on new devices.

Unlike other upgrades you may make to your network, phasing in IPv6 isn’t optional. Eventually, IPv4 will fade from use and all traffic traversing the Internet will be IPv6—so you need to support it. Luckily, the switch to IPv6 is a good thing for small businesses. IPv6 is designed to improve application performance on the Internet as well as to provide room for millions of new IP addresses—enough so that every device, from desktops and smartphones to alarm systems, has a unique address on the Internet. The new protocol provides better security and faster performance over virtual private networks (VPNs). And Mobile IPv6 provides better support for new mobile technologies and applications with more reliable voice and video performance. Perhaps most importantly, IPv6 makes networks like yours easier to manage.

What steps are you taking to transition your small business network to IPv6?
